2014.10.02 12:04 "[Tiff] Vulnerability CVE-2010-2596", by Petr Hracek

2014.10.02 13:55 "Re: [Tiff] Vulnerability CVE-2010-2596", by Bob Friesenhahn

Hi tiff folks,

I would like to ask you whether CVE-2010-2596 is planned to be released in libtiff-3.9? http://bugzilla.maptools.org/show_bug.cgi?id=2209

Similar code is mentioned aroung line 643 in tiff_ojpeg.c

Libtiff is certainly due for some new releases since it has not had a release since September, 2012.

Tom Lane's patch avoids the assertion but it apparently does not solve the parsing issue.

There are are many other fixes already in libtiff CVS waiting to be released.

Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/